How to Protect Valuable Information

I need to store a password and username in a struct. Is there anything I can do to prevent other people from viewing the memory of the process and the user’s information? My first thought was to encrypt the information in memory but then it would have to store a key in memory somewhere, which could still be retrieved. Is there a safer method that I’m missing?


It is not getting into your process's memory that is the weak part. Other processes cannot read your memory.

The weak part is where your code is stored on disk, either as source (easy to hack into), a backup of your source (less easy, but not normally having the same file protection bits), and as a binary compiled (not easy, but possible).

If your site has a policy to expire passwords, it also gives you a maintenance nightmare to embed usernames and passwords in code, and hostnames too.

I work with some software which gets the encrypted password from the registry. When the password expires, another program prompts the user for the password and key so it can encrypt the password and place the new version in the registry. There is no stored password or key on your disk.

A good operating system, properly configured, should protect RAM allocated to your app from being read by other programs. (But be careful of root / Administrator users and associated passwords).
The storage of keys in files is always an issue, but using strong encryption should help here.
If you need industrial strength protection (as used by banks, the military, etc.) then you are looking at custom hardware encryption machines, for which you will pay through the nose.
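
The replies above rely on the operating system to keep other processes out of your RAM; the following added example (not from any of the posts) shows what the program itself can do to keep the struct from reaching disk through swap or a core dump and to shorten how long the secret stays in memory. It assumes a POSIX system such as Linux; `struct cred`, `cred_load`, `cred_clear` and the sample values are hypothetical names constructed for illustration, and none of this stops a root / Administrator user.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Hypothetical credential struct, as described in the question. */
struct cred {
    char user[64];
    char pass[64];
    int  locked;                 /* 1 if mlock() succeeded */
};

/* Zero memory through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Stop the kernel from writing this process's memory to a core file on a crash. */
int disable_core_dumps(void) {
    struct rlimit rl = {0, 0};
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Copy credentials in; try to pin the struct in RAM so it is never swapped out. */
int cred_load(struct cred *c, const char *user, const char *pass) {
    if (strlen(user) >= sizeof c->user || strlen(pass) >= sizeof c->pass)
        return -1;                            /* reject rather than truncate */
    c->locked = (mlock(c, sizeof *c) == 0);   /* can fail under RLIMIT_MEMLOCK */
    strcpy(c->user, user);
    strcpy(c->pass, pass);
    return 0;
}

/* Wipe and unlock as soon as the credential is no longer needed. */
void cred_clear(struct cred *c) {
    int was_locked = c->locked;
    wipe(c, sizeof *c);
    if (was_locked) munlock(c, sizeof *c);
}

int main(void) {
    struct cred c;
    disable_core_dumps();
    if (cred_load(&c, "alice", "constructed-sample-pw") != 0) return 1;
    /* ... authenticate with c.user / c.pass here ... */
    cred_clear(&c);
    puts(c.pass[0] == 0 ? "wiped" : "still present");
    return 0;
}
```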
